>>> Arguably that's the most accurate way, but not the most realistic way.
>>> It wouldn't be realistic to run a prospective password through each one
>>> of those tools when setting the password.
>>
>> You don't think so?
>>
>> I think that if you type a password and a cracker can guess it in under
>> 30 seconds, you should definitely pick a different password. But maybe
>> that's just me...
>
> You said "password crackers" (plural). You might have noticed, but users
> aren't exactly patient about things. If it takes all these tools 20
> minutes to decide the password is secure enough, they'll be complaining
> to you that their system hung when they changed their password.

Oh, I see.

Well, yes, the average user doesn't give a fig how secure their password
is, only how difficult it is to remember. I was thinking more of people
who *do* care about such things.

>> On the other hand, salting the password trivially defeats rainbow
>> tables.
>
> Sure, but how many password systems don't use a salt value?

Well, that's true enough, sadly...

(I still remember having a 25-post discussion with Tom Kyte about this.
He still fails to see why salt is useful.)

--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
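
The point about salt made in the thread above, as an added example that is not part of the original post: a precomputed hash-to-password lookup (a plain dictionary standing in for a real rainbow table, which compresses the same precomputation with hash chains) matches every unsalted record but none of the salted ones. The user names, passwords, candidate list and the choice of SHA-256 and PBKDF2 are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumptions, not from the post).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "qwerty"}


def unsalted_hash(password: str) -> str:
    """Weak storage scheme: one fixed digest per password, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Salted, iterated storage scheme (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_precomputed_table(candidates):
    """digest -> password, computed once and reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def store_unsalted(users):
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users):
    """Each record gets its own random 16-byte salt, kept beside the digest."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, salted_hash(pw, salt))
    return records


def verify_salted(record, password: str) -> bool:
    """Legitimate login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(digest, salted_hash(password, salt))


def table_hits(table, stored_digests) -> int:
    """How many stored digests the precomputed table resolves by lookup alone."""
    return sum(1 for digest in stored_digests if digest in table)
```

With a per-record salt the precomputation would have to be redone for every salt value, and two users who picked the same password no longer share a stored digest.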